There is a severe vulnerability in OpenSSL’s implementation of the TLS/DTLS
(transport layer security protocols) heartbeat extension (RFC6520).
This is a serious vulnerability which has been assigned the CVE identifier
CVE-2014-0160.

Exploitation may lead to disclosure of memory contents from the server to the
client and from the client to the server. An attacker can remotely retrieve
sensitive data from memory, including, but not limited to, secret keys used for
SSL encryption and authentication tokens.

To verify the version of OpenSSL currently installed with Ruby,
use the following:

ruby -ropenssl -e 'puts OpenSSL::OPENSSL_VERSION'

You can verify whether your client software or a running service is vulnerable
by using emboss’s script.

Solutions

To upgrade to OpenSSL version 1.0.1g or newer, check with your current
operating system package manager to ensure it provides an up-to-date OpenSSL.
You may need to consult your operating system distributor to verify that their
version of OpenSSL is patched, regardless of the version number reported (a
patched build may keep the original version number).

If upgrading is not an option, recompile a patched OpenSSL with the
option -DOPENSSL_NO_HEARTBEATS at build time.

With an upgraded OpenSSL, it’s recommended to recompile Ruby to ensure
it is no longer linked against a vulnerable version of OpenSSL.

This means updating any tools used to build Ruby, such as RVM or ruby-build.
If you build Ruby yourself, use the --with-openssl-dir option at
compile time so that Ruby links against the upgraded OpenSSL install directory.
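As an added example (not part of this advisory), the script below classifies the string printed by the version command above against the affected 1.0.1 through 1.0.1f range, and compares the OpenSSL headers Ruby was compiled against with the library loaded at runtime (using OpenSSL::OPENSSL_LIBRARY_VERSION where the Ruby build defines it), which is the mismatch that recompiling Ruby is meant to remove. It cannot see distributor backports, so a version-based "vulnerable" result still needs confirmation from your distributor.

```ruby
require 'openssl'

# Releases 1.0.1 through 1.0.1f carry the vulnerable heartbeat code;
# 1.0.1g is the fixed release. 0.9.8, 1.0.0 and 1.0.2+ are not affected.
def heartbleed_status(version_string)
  # OPENSSL_VERSION looks like "OpenSSL 1.0.1f 6 Jan 2014"
  m = version_string.match(/\AOpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]?)/)
  return :unknown unless m # LibreSSL, garbled string, etc.
  major, minor, fix, letter = m[1].to_i, m[2].to_i, m[3].to_i, m[4]
  return :not_affected unless [major, minor, fix] == [1, 0, 1]
  # 1.0.1 (no letter) and 1.0.1a..1.0.1f are vulnerable; 1.0.1g and later
  # are fixed. A distributor may have backported the fix without bumping the
  # letter, so this result means "vulnerable unless your vendor says otherwise".
  (letter.empty? || letter <= 'f') ? :vulnerable_by_version : :fixed
end

# Compare the OpenSSL headers Ruby was compiled against (OPENSSL_VERSION)
# with the library actually loaded at runtime (OPENSSL_LIBRARY_VERSION).
# After upgrading OpenSSL without recompiling Ruby these can differ.
def ruby_openssl_link_report
  compiled = OpenSSL::OPENSSL_VERSION
  runtime  = defined?(OpenSSL::OPENSSL_LIBRARY_VERSION) ? OpenSSL::OPENSSL_LIBRARY_VERSION : nil
  {
    compiled: compiled,
    compiled_status: heartbleed_status(compiled),
    runtime: runtime,
    runtime_status: runtime ? heartbleed_status(runtime) : :unknown,
    mismatch: !runtime.nil? && compiled != runtime
  }
end

if __FILE__ == $0
  ruby_openssl_link_report.each { |key, value| puts "#{key}: #{value}" }
end
```

Run it with the Ruby whose OpenSSL linkage you want to check; a `mismatch: true` line means the interpreter was built against different headers than the library it now loads.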

After upgrading OpenSSL and Ruby, it’s important to restart all programs
using the vulnerable version.

Many operating system distributions already provide (or will soon be
providing) patched versions and rebuilt packages for libraries vulnerable to
this attack. It’s important to monitor your operating system distributor to
ensure you remain secure.